Strong Passwords & Firebase Auth

How to Require Strong Passwords with Firebase Authentication

To require strong passwords with Firebase Authentication, you can implement custom password validation logic on the client side before submitting the password to Firebase. Firebase itself does not enforce specific password strength requirements (like length, special characters, etc.) by default, so you’ll need to create this logic in your Next.js app. Keep in mind that a check that runs only in the browser guides users toward better passwords but cannot stop a request that is sent to Firebase directly.

Here’s how you can implement strong password requirements with Firebase Auth:

1. Define Password Strength Criteria

First, define what constitutes a strong password. For example, you might require:

  • A minimum of 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

2. Create a Password Validation Function

You can use regular expressions to check if the password meets the criteria. Here’s an example password validation function:

function validatePassword(password) {
  const minLength = 8;
  const hasUpperCase = /[A-Z]/.test(password);
  const hasLowerCase = /[a-z]/.test(password);
  const hasNumbers = /\d/.test(password);
  const hasSpecialChar = /[!@#$%^&*(),.?":{}|<>]/.test(password);
 
  if (password.length < minLength) {
    return { valid: false, error: "Password must be at least 8 characters long." };
  }
  if (!hasUpperCase) {
    return { valid: false, error: "Password must contain at least one uppercase letter." };
  }
  if (!hasLowerCase) {
    return { valid: false, error: "Password must contain at least one lowercase letter." };
  }
  if (!hasNumbers) {
    return { valid: false, error: "Password must contain at least one number." };
  }
  if (!hasSpecialChar) {
    return { valid: false, error: "Password must contain at least one special character." };
  }
 
  return { valid: true };
}

3. Implement Password Validation Before Submission

When a user attempts to sign up or reset their password, use this validation function to ensure the password is strong before sending it to Firebase. Here’s an example of how you can integrate this in your sign-up form in Next.js:

import { getAuth, createUserWithEmailAndPassword } from "firebase/auth";
 
const signUpUser = async (email, password) => {
  const auth = getAuth();
  
  const passwordValidation = validatePassword(password);
  if (!passwordValidation.valid) {
    // Display error message
    console.log(passwordValidation.error);
    return;
  }
 
  try {
    const userCredential = await createUserWithEmailAndPassword(auth, email, password);
    // User successfully created
    console.log("User created:", userCredential.user);
  } catch (error) {
    console.error("Error signing up:", error);
  }
};
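
Because the browser check can be skipped, the same rules can be re-run on the server before an account is created. The following is an added example, not code from the original post: `unmetRules`, `makeSignUpHandler` and the injected `createUser` are hypothetical names, and it assumes accounts are created only through this Next.js API route, with `createUser` wrapping the Firebase Admin SDK's `getAuth().createUser()` in a real app.

```javascript
// Added example: server-side re-check of the page's password rules.
// makeSignUpHandler and createUser are hypothetical names for illustration.
const RULES = [
  ["Password must be at least 8 characters long.", (p) => [...p].length >= 8],
  ["Password must contain at least one uppercase letter.", (p) => /[A-Z]/.test(p)],
  ["Password must contain at least one lowercase letter.", (p) => /[a-z]/.test(p)],
  ["Password must contain at least one number.", (p) => /\d/.test(p)],
  // Any non-alphanumeric character counts (broader than the page's fixed list).
  ["Password must contain at least one special character.", (p) => /[^A-Za-z0-9]/.test(p)],
];

// Returns every unmet rule (not just the first) so a form can show a checklist.
function unmetRules(password) {
  if (typeof password !== "string") return ["Password is required."];
  return RULES.filter(([, ok]) => !ok(password)).map(([message]) => message);
}

// Builds a Next.js-style API route handler (req, res). createUser is injected;
// assumption: in production it wraps the Admin SDK's getAuth().createUser().
function makeSignUpHandler({ createUser }) {
  return async function handler(req, res) {
    if (req.method !== "POST") {
      return res.status(405).json({ error: "Method not allowed." });
    }
    const { email, password } = req.body || {};
    const errors = unmetRules(password);
    if (typeof email !== "string" || errors.length > 0) {
      // Never echo or log the submitted password.
      return res.status(400).json({ error: "Invalid sign-up request.", errors });
    }
    try {
      const user = await createUser({ email, password });
      return res.status(201).json({ uid: user.uid });
    } catch (err) {
      // Generic message: do not reveal whether the email already exists.
      return res.status(400).json({ error: "Could not create account." });
    }
  };
}
```

Returning a generic error when account creation fails keeps the route from confirming which email addresses are already registered.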

That's It

Enforcing strong passwords for Firebase Auth users is pretty straightforward. Ideally, though, you could use a third-party solution that comes with strong passwords and other security features built in, but I'll save that for a separate blog post.